Part 2 is a listing of all the items in each network checklist.
The Network Infrastructure Security Technical Implementation Guide (STIG) is for securing a Inter-networking device such as a router or a switch. It is a good source of knowledge to secure a system based on best security practices.
The guide is divided into a Infrastructure and Perimeter type device.
We also see that is it being divided up further by Router and L3 Switch type.
The check list covers many security aspects. The identification associated with each check further categorizes into:
NETxxxx – x representing a numerical value
Infrastructure Router
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.
Perimeter Router
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.
Perimeter L3 Switch
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.
NET-NAC-xxx – Network Admission Control related security configuration checks.
NET-SRVFRM-xxx – Server Farm related security configuration checks.
NET-VLAN-xxx – Virtual LANs related security configuration checks.
Infrastructure L3 Switch
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.
NET-NAC-xxx – Network Admission Control related security configuration checks.
NET-SRVFRM-xxx – Server Farm related security configuration checks.
NET-VLAN-xxx – Virtual LANs related security configuration checks.
L2 Switch
NETxxxx – General network security configuration checks.
NET-NAC-xxx – Network Admission Control related security configuration checks.
NET-VLAN-xxx – Virtual LANs related security configuration checks.
The Network Infrastructure STIG is freely available from: http://iase.disa.mil/stigs/net_perimeter/network_infra/routers_switches.html
Started providing examples of what a Cisco IOS CCE would look like based on the DISA Network Infrastructure STIG checklist.
Link to the example CCE http://www.c3isecurity.com/home/cce
I may add additional entries going forward.
I had the privilege of presenting at the 7th annual IT Security Automation Conference. I represented the Apex Assurance Group where I am working on DoD IA, STIG and SCAP services.
SCAP for Inter-networking Devices
Abstract: Survey on SCAP for inter-networking devices such as routers and switches. The critical infrastructure and enterprise networks today are built on routers and switches to transport communications to endpoints and beyond. SCAP expansion into discovering and interrogating inter-networking devices fits into this continuous monitoring paradigm. The presentation will cover traditional SCAP methods used to probe devices and will discuss other methods. The presentation will also explore current and future SCAP capabilities for inter-networking devices.
Open Vulnerability and Assessment Language (OVAL) is a open standard used to assess a system. Typically used for security assessments.
There are 5 tests with the Cisco IOS OVAL definitions schema. Though limited, one could make do with what is available. From what I’ve seen you really only need two tests. The version55_test and line_test is all that is needed for a Cisco IOS DISA STIG compliance check.
Test used to parse and identify the IOS version. Below is an example of the version from the Cisco IOS Show version command.
splinter1#show version Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc. Compiled Thu 28-Oct-10 17:09 by prod_rel_team ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) splinter1 uptime is 12 weeks, 6 days, 3 hours, 13 minutes System returned to ROM by power-on System image file is "flash:c2800nm-adventerprisek9-mz.150-1.M4" Last reload type: Normal Reload This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com. Cisco 2851 (revision 53.51) with 509952K/14336K bytes of memory. Processor board ID FTX0925A1BF 2 Gigabit Ethernet interfaces 1 Virtual Private Network (VPN) Module DRAM configuration is 64 bits wide with parity enabled. 239K bytes of non-volatile configuration memory. 62720K bytes of ATA CompactFlash (Read/Write) License Info: License UDI: ------------------------------------------------- Device# PID SN ------------------------------------------------- *0 CISCO2851 FTX0925A1BF Configuration register is 0x2102 splinter1#
Used to parse the the out put of the Cisco IOS show command.
Below is a example output of a Cisco IOS show process command. It lists all the process running on a IOS device. The output was cut off for brevity.
! splinter1#show processes CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0% PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process 1 Cwe 437AEFE4 168 4562 36 5428/6000 0 Chunk Manager 2 Csp 40070050 1500 1557371 0 2568/3000 0 Load Meter 3 Mwe 409C7EDC 0 1 023260/24000 0 LICENSE AGENT 4 Mwe 43891A08 0 1 023404/24000 0 EDDRI_MAIN 5 Lst 437F6030 9052256 1184857 7639 5332/6000 0 Check heaps 6 Cwe 437EF4F4 108 318 339 5492/6000 0 Pool Manager 7 Mwe 437EF460 0 1 0 5672/6000 0 DiscardQ Backgro 8 Mst 41A4566C 0 2 0 5532/6000 0 Timers 9 Mwe 409BC90C 0 1 0 5668/6000 0 License Client N 10 ME 41A5C1D4 48 294 163 9792/12000 0 Exec 11 Mwe 40117178 0 1 0 5696/6000 0 IPC Process leve 12 Mwe 4011703C 4 129774 0 5728/6000 0 IPC Dynamic Cach
Used to parse the config file for a certain Cisco IOS configuration command.
Used to test for a interface IOS commands.
Used to parse the snmp community string and snmp access-list.
Not sure what this test is for. Not all IOS versions (trains) have the TCL parser feature.
Blackwater off springs in the cybersecurity.
Jellyfish http://jellyfishintel.com
http://shaneharris.com/news/from-the-team-that-brought-you-blackwater-comes-jellyfish/
Advanced Persistent Threat (APT) continues.
From what I can tell APT is synonymous with Chinese cyber incursions. APT is used by public relations departments to imply without directly stating. There are many advantages to using such labels as it does not directly accuse. So its all part the Information Warfare (IW).
Security Firm Is Vague on Its Compromised Devices – NYT
http://www.nytimes.com/2011/03/19/technology/19secure.html?_r=1&ref=technology
RSA open letter to customers
http://www.rsa.com/node.aspx?id=3872
Securities Exchange Commission:
http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm
Lockheed
http://www.reuters.com/article/2011/05/27/us-usa-defense-hackers-idUSTRE74Q6VY20110527
L3 follow on attack?
http://www.wired.com/threatlevel/2011/05/l-3/
The recent power outage in North East Brazil begs the question, was it hacker saboteurs or natural disaster?
Brief recount of how Russia invaded Afghanistan.
http://www.foreignpolicy.com/articles/2009/12/11/how_we_invaded_afghanistan
